Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
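The chain-walking logic behind the basic constraints check described above, as an added example rather than Pidgin's NSS or GnuTLS code: certificates are modelled as dicts holding the fields a validator reads from the parsed extension, the sample chains are constructed, and signature and hostname checks are assumed to happen elsewhere.

```python
# Added example, not Pidgin's NSS/GnuTLS code: the chain-walking logic behind
# the basicConstraints check. Certificates are modelled as dicts with the
# fields a validator reads from the parsed extension; the sample chains below
# are constructed, and signature/hostname checks are assumed done elsewhere.
from typing import Dict, List, Optional

Cert = Dict[str, object]


def check_basic_constraints(chain: List[Cert]) -> Optional[str]:
    """chain[0] is the end-entity cert, chain[-1] the trust anchor.

    Returns None when every issuer in the chain is a CA and no
    pathLenConstraint is exceeded, otherwise the reason for rejection.
    """
    for depth in range(1, len(chain)):
        issuer, child = chain[depth], chain[depth - 1]
        if child["issuer"] != issuer["subject"]:
            return f"{child['subject']!r} not issued by {issuer['subject']!r}"
        bc = issuer.get("basic_constraints")
        # The hole fixed by CVE-2014-3694: a leaf (cA=FALSE or no extension)
        # must never be accepted as the issuer of another certificate.
        if not bc or not bc.get("ca"):
            return f"{issuer['subject']!r} is not a CA but signed {child['subject']!r}"
        # Intermediate CAs strictly below this issuer, not counting the leaf.
        below = depth - 1
        path_len = bc.get("path_len")
        if path_len is not None and below > path_len:
            return f"{issuer['subject']!r} pathLenConstraint={path_len} exceeded"
    return None


# Constructed sample certificates.
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA",
        "basic_constraints": {"ca": True, "path_len": None}}
ATTACKER_LEAF = {"subject": "attacker.example", "issuer": "Example Root CA",
                 "basic_constraints": {"ca": False, "path_len": None}}
# A legitimately issued leaf certificate used to "issue" one for the IM server.
FORGED_SERVER = {"subject": "xmpp.example.org", "issuer": "attacker.example",
                 "basic_constraints": None}
GOOD_SERVER = {"subject": "xmpp.example.org", "issuer": "Example Root CA",
               "basic_constraints": None}

GOOD_CHAIN = [GOOD_SERVER, ROOT]
FORGED_CHAIN = [FORGED_SERVER, ATTACKER_LEAF, ROOT]

if __name__ == "__main__":
    print("good  :", check_basic_constraints(GOOD_CHAIN))    # None
    print("forged:", check_basic_constraints(FORGED_CHAIN))  # rejection reason
```

A validator that only verifies signatures and names accepts FORGED_CHAIN; the cA flag is what makes the leaf-as-issuer case fail.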

Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta) (#15909)

libpurple3 compatibility

Encrypted account passwords are preserved until the new one is set.

Fix loading Google Talk and Facebook XMPP accounts.

Windows-Specific Changes

Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697)

Updates to dependencies: NSS 3.17.1 and NSPR 4.10.7

Finch

Fix build against Python 3. (Ed Catmur) (#15969)

Gadu-Gadu

Updated internal libgadu to version 1.12.0.

Groupwise

Fix a potential remote crash when parsing a server message that indicates a large amount of memory should be allocated. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3696)

IRC

Fix a possible leak of unencrypted data when using /me command with OTR. (Thijs Alkemade) (#15750)

Fix handling of SSL certificates with timestamps in the distant future when using libnss. (#15586)

Impose maximum download size for all HTTP fetches.

Pidgin

Fix crash displaying tooltip of long URLs. (CVE-2013-6478)

Better handling of URLs longer than 1000 letters.

Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)

Windows-Specific Changes

When clicking file:// links, show the file in Explorer rather than attempting to run the file. This reduces the chances of a user clicking on a link and mistakenly running a malicious file. (Originally discovered by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)

Prevent spoofing of iq replies by verifying that the 'from' address matches the 'to' address of the iq request. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen, fixed by Thijs Alkemade) (CVE-2013-6483)
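The pairing check for iq replies described above, as an added example rather than libpurple's iq.c, run over constructed stanzas with the standard library. It also covers the request-with-no-'to' case (a stanza handled by the account's own server), where RFC 6120 lets the reply carry the account's bare JID, the server domain, or no 'from' at all; ACCOUNT_JID and SERVER are assumed values.

```python
# Added example, not libpurple's iq.c: the pairing check for <iq/> replies,
# done on constructed stanzas with the standard library. Besides the exact
# 'from' == 'to' match, it handles a request with no 'to' (handled by our own
# server), whose reply may carry our bare JID, the server domain or no 'from'.
import xml.etree.ElementTree as ET

ACCOUNT_JID = "alice@example.org"  # assumption: the account's bare JID
SERVER = "example.org"             # assumption: the account's server domain


def reply_matches_request(request_xml: str, reply_xml: str) -> bool:
    """True only if reply_xml is an acceptable answer to request_xml."""
    req = ET.fromstring(request_xml)
    rep = ET.fromstring(reply_xml)
    if rep.get("type") not in ("result", "error"):
        return False                        # not a reply at all
    if rep.get("id") != req.get("id"):
        return False                        # answers some other request
    sent_to, came_from = req.get("to"), rep.get("from")
    if sent_to is None:
        return came_from in (None, SERVER, ACCOUNT_JID)
    # The check added for CVE-2013-6483: the reply must come from exactly
    # the address the request was sent to.
    return came_from == sent_to


# Constructed stanzas.
REQUEST = ('<iq type="get" id="v1" to="bob@example.org/laptop">'
           '<query xmlns="jabber:iq:version"/></iq>')
GENUINE_REPLY = ('<iq type="result" id="v1" from="bob@example.org/laptop" '
                 'to="alice@example.org/pidgin"><query xmlns="jabber:iq:version">'
                 '<name>Pidgin</name></query></iq>')
# Same id, but the 'from' is not the address the request went to: rejected.
MISMATCHED_REPLY = ('<iq type="result" id="v1" from="carol@example.net" '
                    'to="alice@example.org/pidgin"><query xmlns="jabber:iq:version">'
                    '<name>Other</name></query></iq>')
SERVER_REQUEST = '<iq type="get" id="r1"><query xmlns="jabber:iq:roster"/></iq>'
SERVER_REPLY = '<iq type="result" id="r1"><query xmlns="jabber:iq:roster"/></iq>'

if __name__ == "__main__":
    print("genuine   :", reply_matches_request(REQUEST, GENUINE_REPLY))          # True
    print("mismatched:", reply_matches_request(REQUEST, MISMATCHED_REPLY))       # False
    print("roster    :", reply_matches_request(SERVER_REQUEST, SERVER_REPLY))    # True
```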

When a conversation has reached the maximum limit on the number of smileys, display the text representation of the smiley properly when it contains HTML-escapable characters (e.g. "<3" was previously displayed as "&lt;3").

Drop dependency on GdkGC and use Cairo instead.

New UI hack to assist in first-time setup of Facebook accounts with icon from Jakub Szypulka.

Don't hide the buddy list if there is no notification area in which to put the icon. (#12129)

libpurple:

Fix multipart parsing when '=' is included in the boundary for purple_mime_document_parse. (Jakub Adam) (#11598)

AIM and ICQ:

Buddies who unset their status message will now be correctly shown without a message in your buddy list. (#12988)

File transfer requests will no longer cause a crash if you delete the file before the other side accepts.

Received files will no longer hold an extra lock after completion, meaning they can be moved or deleted without complaints from your OS.

Buddies who sign in from a second location will no longer cause an unnecessary chat window to open.

Support setting an animated GIF as a buddy icon.

Numerous code cleanups and memory savings.

MySpace

Fix a leak and crash when retrieving buddy icons.

XMPP

Less likely to send messages to a contact's idle/inactive resource. Previously, if a message was received from a specific resource, responses would be sent to that resource until either it went offline or a message was received from another resource. Now, messages are sent to the bare JID upon receipt of any presence change from the contact.

Added support for the SCRAM-SHA-1 SASL mechanism. This is only available when built without Cyrus SASL support.

When getting info on a domain-only (server) JID, show uptime (when given by the result of the "last query") and don't show status as offline.

Fix getting info on your own JID.

Wrap XHTML messages in <p>, as described in XEP-0071, for compatibility with some clients.

Don't do an SRV lookup for a STUN server associated with the account if one is already set globally in prefs.

Don't send custom smileys larger than the recommended maximum object size specified in the BoB XEP. This prevents a client from being disconnected by servers that dislike overly-large stanzas.

Fix receiving messages without markup over an Openfire BOSH connection (forcibly put the stanzas in the jabber:client namespace).

The default value for the file transfer proxies is automatically updated when an account connects, if it is still the old (broken) default (from 'proxy.jabber.org' to 'proxy.eu.jabber.org').

Fix an issue where libpurple created duplicate buddies if the roster contains a buddy in two groups that differ only by case (e.g. "XMPP" and "xmpp") (or not at all).

Yahoo

Don't send <span> and </span> tags. (Fartash Faghri)

Support PingBox. PingBoxes will appear as pbx/PingBoxName. (Kartik Mohta)

Pidgin

Fix CVE-2010-0423, a denial of service attack due to the parsing of large numbers of smileys. (Discovered by Antti Hayrynen)

Use the "hand" cursor when hovering over usernames in chat history to indicate that the username is an actionable item.

Double-clicking usernames in chat history will open an IM with that user.

Put an icon on the "Filter" button in the debug window.

Don't treat "/messages/like/this " as commands.

Explicitly mark user interaction when inserting smilies from the toolbar so "Undo" correctly removes these smilies.

Clicking "New" or "Saved" in the status selector menu while typing a status message no longer keeps the status entry area stuck in "typing" mode forever.

Show tooltips for ellipsized conversation tabs. On older systems, tooltips will show for all tabs.

The File Transfers and Debug Window windows are no longer created as dialogs. These windows should now have minimize buttons in many environments in which they were previously missing (including Windows).

Smiley themes with Windows line endings no longer cause theme descriptions not to be displayed in the theme selector.

Rebindable 'move-first' and 'move-last' actions for tree widgets, making it possible to jump to the first or last entry in the buddy list (and other such lists) by pressing the Home or End key (the defaults) respectively.